novitski / bitcoinj

Automatically exported from code.google.com/p/bitcoinj
Apache License 2.0

Use Gary's enforcer plugin to lock down the dependency chain #417

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Gary Rowe has produced a nice Maven plugin that can check the hashes of 
downloaded dependencies. It's exactly what we need:

https://github.com/gary-rowe/BitcoinjEnforcerRules

We should start using it post 0.9

Original issue reported on code.google.com by hearn@google.com on 17 Jun 2013 at 1:07

GoogleCodeExporter commented 9 years ago
I'll get the Enforcer rules into Maven Central as a 0.0.1 release so it can be 
trialled in some Bitcoinj projects (currently Bitcoinj itself, MultiBit and 
MultiBit Merchant). 

I'd be grateful for anyone looking over the code and raising Issues/Pull 
requests.

Original comment by g.rowe.f...@gmail.com on 17 Jun 2013 at 8:08

GoogleCodeExporter commented 9 years ago
I'm not sure it'll ever be possible to use Maven Central normally with 
bitcoinj, unless Maven itself comes with your plugin. All we're doing with this 
is moving the root of trust backwards to your plugin and the definitions we 
ship. But the user still has to obtain your enforcer plugin from somewhere!

Original comment by hearn@google.com on 17 Jun 2013 at 9:14

GoogleCodeExporter commented 9 years ago
Fair enough but bear in mind that it can be made to integrity check itself so 
that's something. The only alternative within the Maven ecosystem is to find 
some way of performing a git checkout and build from source of Bitcoinj during 
the outer build process. 

If we can get the message across that Bitcoinj is not a normal library, but can 
be handled safely with the given precautions then I think we'll have done our 
due diligence for developers.

Original comment by g.rowe.f...@gmail.com on 17 Jun 2013 at 9:58

GoogleCodeExporter commented 9 years ago
How can it check itself? If the assumption is that the enforcer plugin may be 
compromised it can't reliably check itself.

Ultimately I think we need to build a hash/signature-based chain of trust, and 
unfortunately, as Maven cannot be given a hash of something to download without 
your plugin, that means the chain has to involve git somewhere (or a 
wget+shasum).

Now the enforcer is still a lot better than the alternative because you can 
just check it out/download it once, then copy/paste the magic incantations from 
our website and you're done, then to upgrade to a new bitcoinj you can just 
update those incantations in your pom. No need to compile/install bitcoinj 
yourself. Plus of course it verifies all the dependencies. So it's a big step 
forward. But I don't see how it lets us use pure Maven Central like normal code 
would.

Original comment by hearn@google.com on 18 Jun 2013 at 9:09

GoogleCodeExporter commented 9 years ago
On the GitHub repository I've provided signed "certificates" of the correct 
entry to place in the <urn> section of the configuration so that the rule will 
check itself. So long as you trust (but verify) that I have built the code 
correctly then the following certificate should be sufficient:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I, Gary Rowe, hereby certify that this entry in the DigestRule configuration

<urn>uk.co.froot.maven.enforcer:digest-enforcer-rules:0.0.1:jar:null:runtime:16a9e04f3fe4bb143c42782d07d5faf65b32106f</urn>

will validate against the entry that is in Maven Central for version 0.0.1.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlHGzAAACgkQIYO80lmoHXv4dgCg8Hj6T6p8UVmX68RfwyDgrR8j
/zIAnjR57oBsqtML4XYx+ovj/QmgJDJg
=papV
-----END PGP SIGNATURE-----

The code is now released into Maven Central under MIT license and is available 
for everyone to use in their own projects. 

Please let me know via GitHub if there are any bugs/features that you would 
like addressed. 

See the README at https://github.com/gary-rowe/BitcoinjEnforcerRules for full 
details.

Original comment by g.rowe.f...@gmail.com on 23 Jun 2013 at 10:37
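The bootstrap step that hearn describes above (a one-time wget+shasum check of the enforcer jar before trusting it) and the urn layout shown in Gary's signed certificate, worked through as an added example; this is not code from bitcoinj or from the BitcoinjEnforcerRules project. It assumes the seven-field format groupId:artifactId:version:type:classifier:scope:sha1 exactly as the certificate shows it, with "null" for an absent classifier; the sample file it checks is constructed, not a real jar.

```python
import hashlib
import hmac
import os
import tempfile

# Entry quoted in the signed certificate earlier in this thread.
ENFORCER_URN = ("uk.co.froot.maven.enforcer:digest-enforcer-rules:0.0.1:"
                "jar:null:runtime:16a9e04f3fe4bb143c42782d07d5faf65b32106f")


def parse_urn(urn):
    """Split a DigestRule-style urn into its seven fields, validating the digest."""
    fields = urn.split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    group, artifact, version, ptype, classifier, scope, sha1 = fields
    sha1 = sha1.lower()
    if len(sha1) != 40 or set(sha1) - set("0123456789abcdef"):
        raise ValueError("last field is not a 40-hex-digit SHA-1")
    return {"group": group, "artifact": artifact, "version": version,
            "type": ptype, "classifier": None if classifier == "null" else classifier,
            "scope": scope, "sha1": sha1}


def verify_file(path, urn):
    """True only if the file's SHA-1 equals the digest pinned in the urn."""
    expected = parse_urn(urn)["sha1"]
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    # Constant-time comparison; the pin is the root of trust for everything below it.
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Constructed sample (not a real jar): one matching pin and one tampered pin."""
    data = b"constructed sample bytes, not a real jar"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    good = "org.example:sample:1.0:jar:null:compile:" + hashlib.sha1(data).hexdigest()
    bad = "org.example:sample:1.0:jar:null:compile:" + "0" * 40
    try:
        return verify_file(f.name, good), verify_file(f.name, bad)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print(parse_urn(ENFORCER_URN)["sha1"])
    print(demo())  # (True, False)
```

To check the real plugin jar you would pass its downloaded path together with ENFORCER_URN to verify_file; a False result means the artifact is not the one the certificate vouches for.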

GoogleCodeExporter commented 9 years ago
I think this has been activated in git master for some time already.

Original comment by hearn@google.com on 12 Dec 2013 at 3:08